"Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distribute trojanized versions of legitimate wallets," Kaspersky researcher Sergey Puzan said.
Kaspersky outlines the FakeWallet campaign
Cybersecurity researchers at Kaspersky uncovered 26 malicious iOS applications — collectively dubbed FakeWallet — that impersonate popular cryptocurrency wallets and aim to steal recovery phrases and private keys. The apps have been active since at least fall 2025 and mimic wallets including Bitpie, Coinbase, imToken, Ledger, MetaMask, TokenPocket, and Trust Wallet. According to Kaspersky, many of the 26 apps were taken down by Apple following disclosure.
Tactics: App Store listings, typos, and region-specific distribution
The FakeWallet apps present a notable shift in distribution tactics. Unlike earlier campaigns that relied on bogus websites and abused iOS provisioning profiles, these applications were "directly available for download from Apple's App Store if a user has their Apple account set to China." The malicious listings often use icons that mirror legitimate wallets and intentional typos in their names (for example, "LeddgerNew") to trick users into installing them. In some cases, the app names and icons had no direct connection to cryptocurrency; they were used as placeholders that direct users to download an official wallet through the malicious channel by claiming the legitimate app is "unavailable in the App Store" for regulatory reasons.
How the malware captures seed phrases and keys
Kaspersky reports the operators deliver trojanized wallet code or inject malicious libraries to intercept mnemonic recovery phrases. The seed phrases are captured in two main ways described by the researchers: by hooking the code responsible for the screen where users enter their recovery phrase, or by serving phishing pages that instruct victims to enter their mnemonics as part of a supposed verification step. Kaspersky also identified builds that use optical character recognition (OCR) to extract wallet recovery phrases from screens — a capability that appears in some FakeWallet samples.
On delivery mechanisms, Puzan said the attackers use a mix of methods: "In most cases, the malware is delivered via a malicious library injection, though we've also come across builds where the app's original source code was modified." Kaspersky further noted several similar apps that lack active malicious features but mimic benign services such as games, calculators, or task planners; those apps open a browser link and leverage enterprise provisioning profiles to install a wallet app on the victim's device.
Attribution and links to prior campaigns
Kaspersky suspects the FakeWallet campaign may be linked to the SparkKitty trojan campaign from the prior year. The suspicion is based on shared capabilities — notably OCR modules that steal wallet recovery phrases — and linguistic and targeting signals: both campaigns "appear to be the work of native Chinese speakers and specifically target cryptocurrency assets." The researchers emphasized the campaign is "gaining momentum" through new tactics, from App Store phishing apps to embedding into cold wallet apps and using sophisticated phishing notifications to trick users into revealing mnemonics.
Cyble: MiningDropper (aka BeatBanker) and Android supply-chain tactics
Separately, Cyble reported a sophisticated Android malware delivery framework called MiningDropper, also known as BeatBanker. MiningDropper blends cryptocurrency mining with information theft, remote access, and banking malware and has been used in attacks targeting users in India, Latin America, Europe, and Asia as part of a BTMOB RAT campaign. Cyble traces distribution to a trojanized build of the open-source Android project Lumolight and to fake websites impersonating banking institutions and regional transport offices.
Technically, Cyble describes MiningDropper as employing "a multi-stage payload delivery architecture that combines XOR-based native obfuscation, AES-encrypted payload staging, dynamic DEX loading, and anti-emulation techniques." The design gives operators flexibility in final payload delivery and makes static analysis more difficult, allowing reuse of the same distribution and installation framework across hundreds of samples while adapting monetization objectives to operational needs.
What this means for end users, security teams, and developers
- End users: The campaign targets mnemonic recovery phrases — the keys to both hot and cold wallets — by mimicking legitimate wallet icons and names, redirecting users to counterfeit App Store–like pages, or serving phishing pages. Users with Apple accounts set to China were specifically able to download these FakeWallet apps from the App Store, per Kaspersky's findings.
- Security teams and technologists: The operators use library injection, modified source builds, OCR modules, and enterprise provisioning profile techniques. Teams responsible for mobile app vetting and incident response should note the range of delivery and exfiltration mechanisms described and the campaign's ability to reuse modular components across samples.
- Developers and maintainers of wallet apps: Kaspersky found modules tailored to specific wallets and instances where attackers modified original source code or injected malicious libraries. That pattern highlights a dual threat: cloned-looking storefronts that shepherd users into trojanized installs, and direct tampering with app builds or libraries.
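One concrete vetting check suggested by the "LeddgerNew" example above and by the note on mobile app vetting: screen a feed of storefront listings for names that are exact or near-miss spellings of known wallet brands and come from a developer outside an allow-list. The following is an added example, not Kaspersky's or Cyble's tooling; the brand list is taken from the article, while the stripped marketing suffixes, the "trusted developer" placeholders, and the sample listings are constructed for illustration.

```python
"""Typosquat screen for mobile wallet app listings (added example).

Given listings as (name, developer) pairs, flag those whose normalized name
is identical to, or a near-miss spelling of, a known wallet brand and whose
developer is not on the allow-list for that brand.
"""
import re
from dataclasses import dataclass

# Wallet brands named in the article, lower-cased; the allow-list of genuine
# publishers below is a placeholder a vetting team would fill in themselves.
KNOWN_WALLETS = ["bitpie", "coinbase", "imtoken", "ledger",
                 "metamask", "tokenpocket", "trustwallet"]
TRUSTED_DEVELOPERS = {                      # constructed placeholders
    "ledger": {"Ledger Publisher (placeholder)"},
    "metamask": {"MetaMask Publisher (placeholder)"},
    "coinbase": {"Coinbase Publisher (placeholder)"},
}
# Suffixes a lookalike commonly appends ("LeddgerNew"); assumption.
STRIP_TOKENS = ("new", "pro", "plus", "official", "wallet", "app")


@dataclass
class Listing:
    name: str
    developer: str


@dataclass
class Finding:
    listing: Listing
    brand: str
    distance: int
    reason: str


def normalize(name: str) -> str:
    """Lower-case, drop non-alphanumerics, and peel off marketing suffixes."""
    s = re.sub(r"[^a-z0-9]", "", name.lower())
    changed = True
    while changed:
        changed = False
        for tok in STRIP_TOKENS:
            # keep at least three characters so "wallet" alone is not emptied
            if s.endswith(tok) and len(s) > len(tok) + 2:
                s = s[: -len(tok)]
                changed = True
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(listings, trusted=TRUSTED_DEVELOPERS):
    """Return one Finding per listing that looks like a brand impersonation."""
    brands = {b: normalize(b) for b in KNOWN_WALLETS}
    findings = []
    for lst in listings:
        n = normalize(lst.name)
        brand, dist = min(((b, levenshtein(n, bn)) for b, bn in brands.items()),
                          key=lambda t: t[1])
        # short brand names get a tighter threshold to limit false positives
        allowed = 1 if len(brands[brand]) < 8 else 2
        if dist > allowed:
            continue
        if dist == 0 and lst.developer in trusted.get(brand, set()):
            continue  # genuine listing from an allow-listed publisher
        reason = ("exact brand name from non-allow-listed developer" if dist == 0
                  else "near-miss spelling of brand")
        findings.append(Finding(lst, brand, dist, reason))
    return findings


def sample_listings():
    """Constructed storefront feed; only 'LeddgerNew' comes from the article."""
    return [
        Listing("LeddgerNew", "Example Studio A"),
        Listing("MetaMask", "MetaMask Publisher (placeholder)"),
        Listing("MetaMask", "Example Studio B"),
        Listing("Trust Wallet Pro", "Example Studio C"),
        Listing("Coinbase", "Coinbase Publisher (placeholder)"),
        Listing("Pocket Calculator", "Example Studio D"),
    ]


def screen_sample():
    return screen(sample_listings())


if __name__ == "__main__":
    for f in screen_sample():
        print(f"{f.listing.name!r} by {f.listing.developer!r}: "
              f"{f.reason} ({f.brand}, distance {f.distance})")
```

Note the last sample listing: a name with no wallet connection at all passes this screen, which matches the article's observation that some placeholder apps (calculators, games, planners) carry benign names and only redirect to the malicious channel at runtime. Name-based screening is therefore a first filter, not a substitute for behavioural review of what the app opens and installs.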
The FakeWallet disclosures and Cyble's MiningDropper findings together show threat actors combining app-store distribution, provisioning-profile installs, modified builds, and layered Android frameworks to extract crypto assets or monetize devices. Attribution to SparkKitty remains a suspicion rather than a confirmed link, and Apple removed many of the reported apps after disclosure. The precise scale of successful thefts and the extent of any overlap between these campaigns remain open questions for researchers and defenders.